VIRY.CZ

Zdravim, kolegovi hapruje PC, hlasimu to (avast) malware-gen a pry nove i trojana. Instruoval jsem ho, jak nainstalovat RSIT a vytvorit log, nicmene mi poslal tohle (z Combo Fixu). Muzete z toho neco poznat? Jdu k nemu ve ctvrtek to "opravit" a rad bych uz udelal nejake konecne kroky a ne teprve kopiroval log sem. Diky moc.

ComboFix 10-03-01.03 - Michal Pavlík 03.03.2010 10:42:16.2.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1919.1372 [GMT 1:00]
Spuštěný z: c:\documents and settings\Michal Pavlík\Plocha\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 100302-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

VAROVÁNÍ - NA TOMTO POČÍTAČI NENÍ NAINSTALOVÁNA KONZOLA PRO ZOTAVENÍ !!
.

((((((((((((((((((((((((( Soubory vytvořené od 2010-02-03 do 2010-03-03 )))))))))))))))))))))))))))))))
.

2010-03-02 22:01 . 2010-03-02 22:01 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2010-03-02 15:50 . 2010-03-02 15:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-02 15:49 . 2010-03-02 15:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-26 09:11 . 2008-04-13 21:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-26 09:11 . 2008-04-13 21:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-26 09:10 . 2008-04-13 21:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-02-26 09:10 . 2008-04-13 21:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-26 09:10 . 2008-04-13 21:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-02-26 09:10 . 2008-04-13 21:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-14 12:48 . 2010-02-14 12:48 -------- d-----w- c:\windows\Sun
2010-02-14 12:48 . 2010-02-14 12:48 -------- d-----w- c:\program files\Common Files\Java
2010-02-14 12:47 . 2010-02-14 12:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-14 12:47 . 2010-02-14 12:47 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 20:08 . 2009-08-27 10:06 -------- d-----r- c:\program files\Skype
2010-02-26 09:11 . 2009-08-13 16:05 -------- d-----w- c:\program files\Common Files\Motive
2010-02-24 08:16 . 2009-10-03 07:00 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-18 17:14 . 2010-01-18 17:14 0 ----a-w- c:\windows\IMG76.tmp
2010-01-11 15:37 . 2010-01-11 15:36 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-01-11 15:37 . 2009-09-27 10:13 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-01-11 15:37 . 2009-09-27 10:10 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-05 09:58 . 2008-03-01 15:02 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 09:57 . 2008-04-27 12:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:57 . 2008-04-27 12:08 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-04-14 02:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-17 07:42 . 2009-08-13 15:55 343552 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:10 . 2008-04-14 10:51 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 07:32 . 2001-10-25 18:00 79266 ----a-w- c:\windows\system32\perfc005.dat
2009-12-10 07:32 . 2001-10-25 18:00 432334 ----a-w- c:\windows\system32\perfh005.dat
2009-12-09 10:11 . 2008-04-14 10:07 2191360 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:11 . 2008-04-14 06:06 2068224 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2008-04-14 02:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-10-19 18:49 . 2009-10-19 18:49 370 ----a-w- c:\program files\graf.m
.

------- Sigcheck -------

[-] 2008-04-27 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 455968]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2009-08-13 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Akceler tor spuçtŘnˇ AutoCADu.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [13.8.2009 18:15 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.2.2010 10:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17.2.2010 10:15 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13.8.2009 18:15 20560]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [15.8.2009 11:16 222968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 18:19 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17.2.2010 10:15 12872]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27.9.2009 11:10 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-10-18 13:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'

2010-03-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2010-03-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-09-12 20:18]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michal Pavlík\Data aplikací\Mozilla\Firefox\Profiles\dba24k3e.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Michal Pavlík\Data aplikací\Mozilla\Firefox\Profiles\dba24k3e.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nppl3260.dll
FF - plugin: c:\program files\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.
- - - - NEPLATNÉ POLOŽKY ODSTRANĚNÉ Z REGISTRU - - - -

AddRemove-MotiveReportAgent - c:\program files\TO2SAM\McciBrowser.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 10:45
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

c:\docume~1\MICHAL~1\LOCALS~1\Temp\catchme.dll 53248 bytes executable

sken byl úspešně dokončen
skryté soubory: 1

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-03-03 10:46:49
ComboFix-quarantined-files.txt 2010-03-03 09:46

Před spuštěním: Volných bajtů: 279 730 237 440
Po spuštění: Volných bajtů: 279 776 047 104

- - End Of File - - 9B1B110FBED8B7E41F944E09F76F0187

Zdravím

Dejte log z RSIT.

Nedoporučuji používat ComboFix z vlastní iniciativy, může dojít k poškození systému!

Obrázek

Kde přesně Avast viry hlásí

Tohle otestujte na http://www.virustotal.com/cs/
c:\windows\system32\sfcfiles.dll

(Soubor nehledejte, jenom vložíte tučně označenou cestu, v případě hlášky "Soubor již byl testován" dejte otestovat znovu. Výsledek analýzy sem vložte.)

Obrázek

Najděte a smažte:
c:\windows\system32\fjhdyfhsn.bat

Logfile of random's system information tool 1.06 (written by random/random)
Run by Michal Pavlík at 2010-03-04 17:07:59
Systém Microsoft Windows XP Professional Service Pack 3
System drive C: has 267 GB (87%) free of 305 GB
Total RAM: 1919 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:08:05, on 4.3.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ICQ6Toolbar\ICQ Service.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MATLAB\R2006a\webserver\bin\win32\matlabserver.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Michal Pavlík\Dokumenty\RSIT.exe
C:\Program Files\trend micro\Michal Pavlík.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Akcelerátor spuštění AutoCADu.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB\R2006a\webserver\bin\win32\matlabserver.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/MICHAL~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.jpg

--
End of file - 8235 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\WGASetup.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-14 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-02-14 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{855F3B16-6D32-4fe6-8A56-BBB695989046} - ICQToolBar - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll [2009-06-01 962808]
{32099AAC-C132-4136-9E9A-4E364A424E17} - DAEMON Tools Toolbar - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll [2009-11-24 953800]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-04-10 16861184]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2006-11-03 866584]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"CanonSolutionMenu"=C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [2008-03-10 689488]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2008-03-17 1848648]
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe [2007-03-01 153136]
"QuickTime Task"=C:\WINDOWS\system32\qttask.exe [2009-08-13 98304]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2007-10-18 455968]
"DAEMON Tools Lite"=C:\Program Files\DAEMON Tools Lite\DTLite.exe [2009-10-30 369200]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-02-18 2012912]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

C:\Documents and Settings\All Users\Nabídka Start\Programy\Po spuštění
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Akcelerátor spuštění AutoCADu.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2008-02-26 126976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2008-04-27 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"=C:\PROGRA~1\WIFD1F~1\MpShHook.dll [2006-11-03 83224]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WinDefend]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\ICQ6.5\ICQ.exe"="C:\Program Files\ICQ6.5\ICQ.exe:*:Enabled:ICQ6"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\Skype\Plugin Manager\skypePM.exe"="C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.scr - open - C:\WINDOWS\system32\notepad.exe "%1"
.scr - install -
.scr - config -

======List of files/folders created in the last 1 months======

2010-03-04 17:08:00 ----D---- C:\Program Files\trend micro
2010-03-04 17:07:59 ----D---- C:\rsit
2010-03-03 10:46:49 ----A---- C:\ComboFix.txt
2010-03-03 10:03:02 ----D---- C:\WINDOWS\Minidump
2010-03-02 23:01:47 ----A---- C:\WINDOWS\system32\fjhdyfhsn.bat
2010-03-02 22:54:47 ----A---- C:\WINDOWS\MBR.exe
2010-03-02 22:54:46 ----A---- C:\WINDOWS\zip.exe
2010-03-02 22:54:46 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-03-02 22:54:46 ----A---- C:\WINDOWS\SWSC.exe
2010-03-02 22:54:46 ----A---- C:\WINDOWS\SWREG.exe
2010-03-02 22:54:46 ----A---- C:\WINDOWS\sed.exe
2010-03-02 22:54:46 ----A---- C:\WINDOWS\PEV.exe
2010-03-02 22:54:46 ----A---- C:\WINDOWS\NIRCMD.exe
2010-03-02 22:54:46 ----A---- C:\WINDOWS\grep.exe
2010-03-02 22:54:07 ----D---- C:\WINDOWS\ERDNT
2010-03-02 22:51:51 ----D---- C:\Qoobox
2010-03-02 16:50:13 ----D---- C:\Documents and Settings\All Users\Data aplikací\SUPERAntiSpyware.com
2010-03-02 16:50:06 ----D---- C:\Program Files\SUPERAntiSpyware
2010-03-02 16:50:06 ----D---- C:\Documents and Settings\Michal Pavlík\Data aplikací\SUPERAntiSpyware.com
2010-03-02 16:49:51 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-02-24 13:20:08 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$
2010-02-14 13:48:18 ----D---- C:\WINDOWS\Sun
2010-02-14 13:48:06 ----D---- C:\Documents and Settings\All Users\Data aplikací\Sun
2010-02-14 13:48:05 ----D---- C:\Program Files\Common Files\Java
2010-02-14 13:47:46 ----A---- C:\WINDOWS\system32\javaws.exe
2010-02-14 13:47:46 ----A---- C:\WINDOWS\system32\javaw.exe
2010-02-14 13:47:46 ----A---- C:\WINDOWS\system32\java.exe
2010-02-14 13:47:46 ----A---- C:\WINDOWS\system32\deploytk.dll
2010-02-14 13:47:30 ----D---- C:\Program Files\Java
2010-02-14 13:46:58 ----D---- C:\Documents and Settings\Michal Pavlík\Data aplikací\Sun
2010-02-10 13:53:15 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$
2010-02-10 13:52:59 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-02-10 13:52:56 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-02-10 13:52:52 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-02-10 13:52:49 ----HDC---- C:\WINDOWS\$NtUninstallKB978251$
2010-02-10 13:52:45 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-02-10 13:52:40 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-02-10 13:52:18 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-02-10 13:52:10 ----HDC---- C:\WINDOWS\$NtUninstallKB977165$

======List of files/folders modified in the last 1 months======

2010-03-04 17:08:01 ----D---- C:\WINDOWS\Temp
2010-03-04 17:08:00 ----D---- C:\Program Files
2010-03-04 17:05:13 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-04 17:05:11 ----D---- C:\WINDOWS\Prefetch
2010-03-04 17:05:00 ----D---- C:\Program Files\Mozilla Firefox
2010-03-04 12:32:59 ----SD---- C:\WINDOWS\Tasks
2010-03-03 23:41:22 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-03 10:45:55 ----D---- C:\WINDOWS
2010-03-03 10:45:55 ----A---- C:\WINDOWS\system.ini
2010-03-03 10:44:09 ----D---- C:\WINDOWS\system32\drivers
2010-03-03 10:44:09 ----D---- C:\WINDOWS\system32
2010-03-03 10:44:09 ----D---- C:\WINDOWS\AppPatch
2010-03-03 10:44:05 ----D---- C:\Program Files\Common Files
2010-03-02 17:27:19 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-02 17:27:14 ----D---- C:\Program Files\Internet Explorer
2010-03-02 16:50:10 ----SHD---- C:\WINDOWS\Installer
2010-03-01 21:08:11 ----RD---- C:\Program Files\Skype
2010-03-01 19:21:19 ----D---- C:\Documents and Settings\All Users\Data aplikací\CanonIJPLM
2010-02-27 15:36:15 ----HD---- C:\WINDOWS\inf
2010-02-26 10:11:12 ----D---- C:\Program Files\Common Files\Motive
2010-02-24 09:16:06 ----N---- C:\WINDOWS\system32\MpSigStub.exe
2010-02-23 23:53:50 ----D---- C:\Documents and Settings\Michal Pavlík\Data aplikací\Skype
2010-02-23 19:13:33 ----D---- C:\Documents and Settings\Michal Pavlík\Data aplikací\skypePM
2010-02-21 14:44:16 ----D---- C:\Documents and Settings\Michal Pavlík\Data aplikací\ICQ
2010-02-16 23:06:34 ----A---- C:\WINDOWS\NeroDigital.ini
2010-02-10 13:53:17 ----A---- C:\WINDOWS\imsins.BAK
2010-02-10 13:53:15 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2006-06-19 36864]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2008-02-26 2863616]
R3 HDAudBus;Ovladač Microsoft UAA pro sběrnici High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-04-17 4707328]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-01-04 105856]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbehci;Ovladač miniportu rozšířeného radiče hostitele Microsoft USB 2.0; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Rozbočovač umožnující USB2; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Ovladač Miniport otevřeného hostitelského řadiče Microsoft USB; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
S3 akv9n7xv;akv9n7xv; C:\WINDOWS\system32\drivers\akv9n7xv.sys []
S3 catchme;catchme; \??\C:\DOCUME~1\MICHAL~1\LOCALS~1\Temp\catchme.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2008-02-26 520192]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 ICQ Service;ICQ Service; C:\Program Files\ICQ6Toolbar\ICQ Service.exe [2009-06-01 222968]
R2 IJPLMSVC;Inkjet Printer/Scanner Extended Survey Program; C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2008-01-22 103808]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-02-14 153376]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-10-18 79136]
R2 matlabserver;MATLAB Server; C:\Program Files\MATLAB\R2006a\webserver\bin\win32\matlabserver.exe [2006-02-02 1359872]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-09-20 853288]
R2 WinDefend;Windows Defender; C:\Program Files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
S3 aspnet_state;Stavová služba ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2009-11-19 85096]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe [2007-11-15 382248]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WMPNetworkSvc;Služba Windows Media Player Network Sharing; C:\Program Files\Windows Media Player\WMPNetwk.exe [2007-01-05 913920]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

OK, ještě proveďte další kroky napsané v předchozím příspěvku.

Antivirus Verze Poslední aktualizace Výsledek
a-squared 4.5.0.50 2010.03.04 -
AhnLab-V3 5.0.0.2 2010.03.04 -
AntiVir 8.2.1.180 2010.03.04 -
Antiy-AVL 2.0.3.7 2010.03.04 -
Authentium 5.2.0.5 2010.03.04 W32/Zhelatin.K.gen!Eldorado
Avast 4.8.1351.0 2010.03.04 -
Avast5 5.0.332.0 2010.03.04 -
AVG 9.0.0.730 2010.03.04 -
BitDefender 7.2 2010.03.04 -
CAT-QuickHeal 10.00 2010.03.04 -
ClamAV 0.96.0.0-git 2010.03.04 -
Comodo 4091 2010.02.28 -
DrWeb 5.0.1.12222 2010.03.04 -
eSafe 7.0.17.0 2010.03.04 -
eTrust-Vet 35.2.7339 2010.03.04 -
F-Prot 4.5.1.85 2010.03.03 -
F-Secure 9.0.15370.0 2010.03.04 -
Fortinet 4.0.14.0 2010.03.04 -
GData 19 2010.03.04 -
Ikarus T3.1.1.80.0 2010.03.04 -
Jiangmin 13.0.900 2010.03.04 -
K7AntiVirus 7.10.989 2010.03.03 -
Kaspersky 7.0.0.125 2010.03.04 -
McAfee 5909 2010.03.03 -
McAfee+Artemis 5909 2010.03.03 -
McAfee-GW-Edition 6.8.5 2010.03.04 -
Microsoft 1.5502 2010.03.04 -
NOD32 4914 2010.03.04 -
Norman 6.04.08 2010.03.03 -
nProtect 2009.1.8.0 2010.03.04 -
Panda 10.0.2.2 2010.03.03 -
PCTools 7.0.3.5 2010.03.04 -
Prevx 3.0 2010.03.04 -
Rising 22.37.03.04 2010.03.04 -
Sophos 4.51.0 2010.03.04 -
Sunbelt 5748 2010.03.04 -
Symantec 20091.2.0.41 2010.03.04 -
TheHacker 6.5.1.7.220 2010.03.04 -
TrendMicro 9.120.0.1004 2010.03.04 -
VBA32 3.12.12.2 2010.03.04 -
ViRobot 2010.3.4.2212 2010.03.04 -
VirusBuster 5.0.27.0 2010.03.04 -
Rozšiřující informace
File size: 1571840 bytes
MD5 : 1e603ea2a3fdbae9e5b88a8cb3c03124
SHA1 : 5385e5ae86f23e997f7e163bb50f9c3d1e4700ce
SHA256: 7ab31194c162ee4411168a3016f99540735decd6267848a0401a4633ef28acd6
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x120D
timedatestamp.....: 0x48025231 (Sun Apr 13 20:34:25 2008)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xCBF 0xE00 5.89 ccd83c1e26e262720c731cb56f817e7b
.data 0x2000 0x1744A8 0x174600 3.26 e86b3aa864cf445485608059f5a8f395
.rsrc 0x177000 0x408 0x600 2.49 d801e5df1215023e9c2b4a081bd7cb32
.reloc 0x178000 0x9CFC 0x9E00 5.77 7a58ceb675c48048ea9a69c7643e68d2

( 1 imports )

> ntdll.dll: LdrDisableThreadCalloutsForDll, NtClose, NtQueryValueKey, NtOpenKey, RtlInitUnicodeString, RtlGetVersion, NtTerminateProcess, RtlUnhandledExceptionFilter, RtlUnwind, NtQueryVirtualMemory

( 1 exports )

> SfcGetFiles
TrID : File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ssdeep: 3072:vH+SebH/3EwKAPPrSMpxo7KmKo2IgYohuFII4K83y7v+152+MAVIv3eNrCW:vco8ppx2K+RFnEyD+vHErW
sigcheck: publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows 2000 System File Checker
original name:
internal name:
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEiD : -
RDS : NSRL Reference Data Set

Pokud nemáte, přesuňte Combofix na plochu

Otevřete si Poznámkový blok a zkopírujte do něj text z bílého okénka.

Kód: Vybrat vše

Restore::
c:\windows\system32\sfcfiles.dll

Uložte Vámi vytvořený TXT soubor jako CFScript.txt na plochu
Po uložení uchopte vámi vytvořený skript levým myšítkem a přesuňte ho nad ikonu Combofixu, kde ho upustíte:
Po aplikaci na Vás vypadne další log,vložte ho sem

Může se stát, že po aplikaci skriptu a restartu Windows nenaběhnou, v tom případě znovu restartujte a přitom mačkejte F8, pak zvolte Poslední známou funkční konfiguraci

ComboFix 10-03-01.03 - Michal Pavlík 04.03.2010 17:34:57.3.1 - x86
Systém Microsoft Windows XP Professional 5.1.2600.3.1250.420.1029.18.1919.1315 [GMT 1:00]
Spuštěný z: c:\documents and settings\Michal Pavlík\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\Michal Pavlík\Plocha\CFScript.txt.txt
AV: avast! antivirus 4.8.1335 [VPS 100304-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\sfcfiles.dll . . . je infikován!!

.
((((((((((((((((((((((((( Soubory vytvořené od 2010-02-04 do 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-04 16:08 . 2010-03-04 16:08 -------- d-----w- c:\program files\trend micro
2010-03-04 16:07 . 2010-03-04 16:08 -------- d-----w- C:\rsit
2010-03-02 15:50 . 2010-03-02 15:50 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-02 15:49 . 2010-03-02 15:49 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-26 09:11 . 2008-04-13 21:10 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-02-26 09:11 . 2008-04-13 21:10 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-02-26 09:10 . 2008-04-13 21:11 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-02-26 09:10 . 2008-04-13 21:11 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-02-26 09:10 . 2008-04-13 21:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-02-26 09:10 . 2008-04-13 21:11 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-02-14 12:48 . 2010-02-14 12:48 -------- d-----w- c:\windows\Sun
2010-02-14 12:48 . 2010-02-14 12:48 -------- d-----w- c:\program files\Common Files\Java
2010-02-14 12:47 . 2010-02-14 12:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-14 12:47 . 2010-02-14 12:47 -------- d-----w- c:\program files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 20:08 . 2009-08-27 10:06 -------- d-----r- c:\program files\Skype
2010-02-26 09:11 . 2009-08-13 16:05 -------- d-----w- c:\program files\Common Files\Motive
2010-02-24 08:16 . 2009-10-03 07:00 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-01-18 17:14 . 2010-01-18 17:14 0 ----a-w- c:\windows\IMG76.tmp
2010-01-11 15:37 . 2010-01-11 15:36 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-01-11 15:37 . 2009-09-27 10:13 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-01-11 15:37 . 2009-09-27 10:10 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-01-05 09:58 . 2008-03-01 15:02 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 09:57 . 2008-04-27 12:09 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 09:57 . 2008-04-27 12:08 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-31 16:50 . 2008-04-14 02:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-17 07:42 . 2009-08-13 15:55 343552 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:10 . 2008-04-14 10:51 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 07:32 . 2001-10-25 18:00 79266 ----a-w- c:\windows\system32\perfc005.dat
2009-12-10 07:32 . 2001-10-25 18:00 432334 ----a-w- c:\windows\system32\perfh005.dat
2009-12-09 10:11 . 2008-04-14 10:07 2191360 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-09 10:11 . 2008-04-14 06:06 2068224 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2008-04-14 02:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-10-19 18:49 . 2009-10-19 18:49 370 ----a-w- c:\program files\graf.m
.

------- Sigcheck -------

[-] 2008-04-27 . 1E603EA2A3FDBAE9E5B88A8CB3C03124 . 1571840 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-03-03_09.45.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-04 16:31 . 2010-03-04 16:31 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
+ 2010-03-04 16:31 . 2010-03-04 16:31 16384 c:\windows\Temp\Perflib_Perfdata_5a0.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-10-18 455968]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"QuickTime Task"="c:\windows\system32\qttask.exe" [2009-08-13 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\All Users\Nabˇdka Start\Programy\Po spuçtŘnˇ\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Akceler tor spuçtŘnˇ AutoCADu.lnk - c:\program files\Common Files\Autodesk Shared\acstart17.exe [2006-3-5 11000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [13.8.2009 18:15 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17.2.2010 10:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17.2.2010 10:15 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [13.8.2009 18:15 20560]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [15.8.2009 11:16 222968]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3.11.2006 18:19 13592]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [27.9.2009 11:10 691696]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17.2.2010 10:15 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-10-18 13:25 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Obsah adresáře 'Naplánované úlohy'

2010-03-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 17:20]

2010-03-04 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-09-12 20:18]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xportovat do aplikace Microsoft Office Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Michal Pavlík\Data aplikací\Mozilla\Firefox\Profiles\dba24k3e.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.seznam.cz/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\Michal Pavlík\Data aplikací\Mozilla\Firefox\Profiles\dba24k3e.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\program files\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nppl3260.dll
FF - plugin: c:\program files\ACE Mega CoDecS Pack\SystemS\RealMedia\Browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-04 17:37
Windows 5.1.2600 Service Pack 3 NTFS

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Celkový čas: 2010-03-04 17:38:00
ComboFix-quarantined-files.txt 2010-03-04 16:37
ComboFix2.txt 2010-03-03 09:46

Před spuštěním: Volných bajtů: 279 785 136 128
Po spuštění: Volných bajtů: 279 756 914 688

WindowsXP-KB310994-SP2-Pro-BootDisk-CSY.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 8F026A13A1D540C3442699697A7AF639

Jak to vypadá s PC

No, viry uz to nehlasi, zrychlil se, ale nejdou USB porty, tiskarna ani flash nereaguji.

Odinstalujte všechny emulátory virtuálních mechanik.

Obrázek

Stáhněte SPTD http://www.duplexsecure.com/en/downloads

Vyberte verzi podle svého operačního systému (64 & 32b). Uložte na plochu a spusťte.
zvolte možnost Uninstall a restartujte PC.

Stáhněte MBR na plochu http://www2.gmer.net/mbr/mbr.exe

Obrázek

Start > Spustit (Win + R)

Vyskočí okénko, zkopírujte do něj:

Kód: Vybrat vše

"%userprofile%\plocha\mbr" -t

Klikněte na OK

Vytvoří se log s názvem mbr.log, vložte ho sem.

Dejte log z Gmer http://www.viry.cz/forum/viewtopic.php?f=29&t=62878

Stáhněte SPTD http://www.duplexsecure.com/en/downloads

* Vyberte verzi podle svého operačního systému (64 & 32b). Uložte na plochu a spusťte.
* zvolte možnost Uninstall a restartujte PC.

Možnost Unistall mi to nenabízí, jen Install.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-03-04 17:55:41
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MICHAL~1\LOCALS~1\Temp\uwtdypow.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xAEF3C82E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xAEF3C678]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xAEF3C7AC]
Code \??\C:\DOCUME~1\MICHAL~1\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----

OK, ještě druhý log z Gmer.

pracuje se na nem, trva desne dlouho

VIRY.CZ

Prosim o kontrolu, trojan, malware-gen

Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen

Re: Prosim o kontrolu, trojan, malware-gen